replace links/references to ~/private/FOO with just ~/FOO

TODO.md

@@ -46,7 +46,7 @@
     - otherwise anyone can `systemd-run --user ...` to potentially escape a sandbox
     - <https://github.com/flatpak/xdg-dbus-proxy>
   - remove `.ssh` access from Firefox!
-    - limit access to `~/private/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
+    - limit access to `~/knowledge/secrets` through an agent that requires GUI approval, so a firefox exploit can't steal all my logins
   - port sane-sandboxed to a compiled language (hare?)
     - it adds like 50-70ms launch time _on my laptop_. i'd hate to know how much that is on the pinephone.
 - make dconf stuff less monolithic

hosts/common/home/keyring/default.nix

@@ -9,9 +9,9 @@ in
 {
   sane.user.persist.byStore.private = [ ".local/share/keyrings" ];
 
-  sane.user.fs."private/.local/share/keyrings/default" = {
+  sane.user.fs.".local/share/keyrings/default" = {
     generated.command = [ "${init-keyring}/bin/init-keyring" ];
-    wantedBy = [ config.sane.fs."/home/colin/private".unit ];
+    # wantedBy = [ config.sane.fs."/home/colin/private".unit ];
     wantedBeforeBy = [ ];  # don't created this as part of `multi-user.target`
   };
 }

hosts/common/home/keyring/init-keyring

@@ -3,7 +3,7 @@
 # initializes the default libsecret keyring (used by gnome-keyring) if not already initialized.
 # this initializes it to be plaintext/unencrypted.
 
-ringdir=/home/colin/private/.local/share/keyrings
+ringdir=/home/colin/.local/share/keyrings
 if test -f "$ringdir/default"
 then
   echo 'keyring already initialized: not doing anything'

hosts/common/programs/firefox.nix

@@ -248,7 +248,7 @@ in
           "Pictures/servo-macros"
         ] ++ lib.optionals cfg.addons.browserpass-extension.enable [
           # browserpass needs these paths:
-          # - private/knowledge/secrets/accounts: where the encrypted account secrets live
+          # - knowledge/secrets/accounts: where the encrypted account secrets live
           # at least one of:
           # - .config/sops: for the sops key which can decrypt account secrets
           # - .ssh: to unlock the sops key, if not unlocked (`sane-secrets-unlock`)
@@ -257,7 +257,7 @@ in
           # - see if ssh has a more formal type of subkey system?
           ".ssh/id_ed25519"
           # ".config/sops"
-          "private/knowledge/secrets/accounts"
+          "knowledge/secrets/accounts"
         ];
         fs.".config/sops".dir = lib.mkIf cfg.addons.browserpass-extension.enable {};  #< needs to be created, not *just* added to the sandbox
 
@@ -341,9 +341,9 @@ in
         '';
 
         # TODO: env.PASSWORD_STORE_DIR only needs to be present within the browser session.
-        env.PASSWORD_STORE_DIR = "/home/colin/private/knowledge/secrets/accounts";
+        env.PASSWORD_STORE_DIR = "/home/colin/knowledge/secrets/accounts";
         # alternative to PASSWORD_STORE_DIR, but firejail doesn't handle this symlink well
-        # fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "private/knowledge/secrets/accounts";
+        # fs.".password-store".symlink.target = lib.mkIf cfg.addons.browserpass-extension.enable "knowledge/secrets/accounts";
       };
     })
     (mkIf config.sane.programs.firefox.enabled {

hosts/common/programs/git.nix

@@ -28,7 +28,6 @@ in
       "dev"
       "knowledge"
       "nixos"
-      "private/knowledge"
       "ref"
       ".ssh/id_ed25519"
     ];

hosts/common/programs/neovim.nix

@@ -98,7 +98,6 @@ in
       "dev"
       "knowledge"
       "nixos"
-      "private/knowledge"
       "records"
       "ref"
       "tmp"

hosts/common/programs/tangram.nix

@@ -42,7 +42,7 @@ in
       # dconf achieves atomic writes via `mv`, so a symlink doesn't work
       # moreover, i have to persist the *whole* directory:
       # - `user-db:tangram/user` causes a schema failure
-      # - bind-mounting `~/private/.config/dconf/tangram` causes dconf to try a cross-fs `mv`, which fails
+      # - bind-mounting `~/.config/dconf/tangram` causes dconf to try a cross-fs `mv`, which fails
       # - dconf provides no way to specify an alternate ~/.config/dconf dir, except by overriding XDG_CONFIG_HOME
       # { type = "file"; path = ".config/dconf/tangram"; method = "bind"; }
       # ".config/dconf"

modules/persist/stores/private.nix

@@ -34,7 +34,7 @@ lib.mkIf config.sane.persist.enable
       "noauto"  # don't try to mount, until the user logs in!
       "nofail"
       # "nodev"   # "Unknown parameter 'nodev'". gocryptfs requires this be passed as `-ko nodev`
-      # "noexec"  # handful of scripts in ~/private/knowledge that are executable
+      # "noexec"  # handful of scripts in ~/knowledge that are executable
       # "nosuid"  # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also nosuid is default)
       "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
       # "quiet"

pkgs/additional/sane-scripts/src/sane-wipe

@@ -16,12 +16,12 @@ wipe_browser() {
   # remove chromium/epiphany/firefox/librewolf artifacts
   rm -rf \
     ~/.cache/BraveSoftware/* \
-    ~/.cache/chromium \
+    ~/.cache/chromium/* \
     ~/.cache/epiphany/* \
     ~/.cache/librewolf/* \
     ~/.cache/mozilla/firefox/* \
     ~/.config/BraveSoftware/* \
-    ~/.config/chromium \
+    ~/.config/chromium/* \
     ~/.librewolf/default/* \
     ~/.local/share/epiphany/* \
     ~/.mozilla/* \
@@ -46,9 +46,9 @@ wipe_flare() {
 
   dconf reset -f /de/schmidhuberj/Flare/
 
-  rm -rf ~/.local/share/flare
+  rm -rf ~/.local/share/flare/*
 
-  echo "you may repair Flare. after doing so, mv ~/.local/share/flare ~/private/.local/share/flare to persist"
+  echo "Flare is wiped: you may now repair it."
 }
 
 wipe_fractal() {